DETAILED ACTION

This communication is in response to the amendments filed September 1, 2009 and 
December 9, 2009. Claims 1, 3, 5-14, 16, 18-27, 29, 31-39, 42-45, 47, 51-54, and 56-59 are 
pending. Claims 1, 14, 27, 48, and 57 are amended. Claims 46 and 55 are cancelled. Claim 59 is 
new. 

Election/Restrictions 

Applicant's arguments with respect to the restriction requirement have been fully 
considered and are persuasive. Accordingly, the requirement is withdrawn. 

Allowable Subject Matter 

The indicated allowability of claims 48 and 57 (the limitations of which are now present 
in claim 59) is withdrawn in view of the newly discovered reference(s) to Ko et al. (US Patent 
No. 6,789,202). Rejections based on the newly cited reference(s) follow. 

Response to Arguments 

Applicant's arguments filed September 1, 2009 have been fully considered but they are
not persuasive. 

Regarding the argument that claims 48 and 57 "should still be deemed allowable for the 
reasons set forth in the pending Office Action," the Examiner respectfully disagrees. As admitted 
by the applicant, the claims are now "broader than the previous versions." Thus, this argument
fails to comply with 37 CFR 1.111(b) because it amounts to a general allegation that the claims
define a patentable invention without specifically pointing out how the language of the claims 
patentably distinguishes them from the references. Regardless, the argument is now moot in view 
of the new ground(s) of rejection. 

Regarding the argument that the combination of Malan, Poletto, and Katoh do not teach 
"lowering priority of traffic sourced from a network" because the Katoh patent merely teaches 
priority lowering, the Examiner respectfully disagrees. One cannot show nonobviousness by 
attacking references individually where the rejections are based on combinations of references. 
See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 
231 USPQ 375 (Fed. Cir. 1986). 

In this case, Malan, for example, teaches the monitor/regulator instructing the first 
routing device to block the undesirable network traffic that is being sourced from the first 
network domain in response to making said determination that the first network domain is 
sourcing the undesirable network traffic (see discussion of "StormBreaker" at p. 14 of 
provisional application 60/231,380). In other words, this differs from the claimed invention only 
insofar as the monitor/regulator blocks the traffic outright rather than lowering its priority. 
Katoh, on the other hand, teaches lowering the priority of undesirable traffic as an alternative to 
blocking it outright (see col. 4, lines 10-13). It would have been obvious to one of ordinary skill 
in the art at the time of the invention to further modify the system of Malan to lower the priority 
of undesirable traffic as taught by Katoh in order to achieve the predictable result of easing
congestion caused by the attack without running the risk of blocking innocent traffic entirely. 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 1, 3, 5, 10-16, 18, 27, 29, 31, 36-39, 42, 43, 47, 51, 52, 56, and 58 are rejected 
under 35 U.S.C. 103(a) as being unpatentable over Malan et al. (US Pub. No. 2002/0032871, 
hereinafter "Malan") in view of Poletto et al. (US Pub. No. 2002/0032880, hereinafter 
"Poletto"), and further in view of Katoh et al. (US Patent No. 5,949,757, hereinafter 
"Katoh"). 

Note that Malan claims priority to and incorporates by reference three provisional 
applications: Nos. 60/231,479, 60/231,480, and 60/231,481, all filed on September 8, 2000. 
Except where noted below, all page and line numbers cited in connection with Malan refer to 
those in application No. 60/231,680. Since the numbering of the pages is inconsistent throughout
the application, the numbers will refer to the pages as they were scanned into the PTO records 
(i.e., with page 1 being the cover sheet). 

Similarly, Poletto claims priority to and incorporates by reference provisional application 
No. 60/230,759, filed September 7, 2000. Except where noted below, all page and line numbers 
cited in connection with Poletto refer to those in application No. 60/230,759. Since the 
numbering of the pages is consistent throughout the application, the numbers will refer to the
pages as they are labeled (i.e., with page 1 corresponding to the third scanned sheet in the 
application). 

Regarding claim 1, Malan shows: 

• a first network domain (for example, an enterprise network: see first paragraph under 
"StormDetector" on p. 12); 

• a first routing device (comprising an attacker's router) at a boundary between the first 
network domain and public internetworking fabric (comprising an ISP network: see 
Fig. 4 and the paragraph spanning pp. 14-15) to route network traffic between the first 
network domain and the public internetworking fabric (implicitly disclosed as the 
typical functionality of a first-hop router: see last paragraph on p. 12); 

• a monitor/regulator (comprising the StormDetector analysis engine), either integrally 
disposed in said first routing device or coupled to the first routing device (see second 
paragraph under "StormDetector" on p. 12 and Figs. 2 and 4) to monitor the network 
traffic routed by said first routing device by analyzing flow records (comprising "flow 
statistics": see second and third paragraphs under "StormDetector" on p. 12 and note 
that StormDetector can be used in "source and transit networks" and "an attacker's 
originating network"), describing traffic conversation as indicated by a combination 
of source and destination addresses (comprising "flow statistics" as described above, 
further explained as being indicated by a combination of source and destination 
addresses in the paragraph spanning pp. 3-4), received from the routing device (note 



Application/Control Number: 09/706,503 Page 6 

Art Unit: 2442 

that the analysis engine receives flow statistics from all the routers in the attack path, 
including the attacker's router: see "StormProfiler" on p. 11), the monitor/regulator
determining if the first network domain is sourcing undesirable network traffic 
(comprising determining that the attack originates in the enterprise network: see 
paragraph spanning pp. 14-15), comprising a denial of service attack in which the 
undesirable network traffic is launched against a target network device (for example, 
a target web hosting server: see "StormDetector" on p. 12 and "StormBreaker" on p. 
14) in order to undermine the operation of that target network device by 
overwhelming the target network device with network traffic (typical of denial of 
service attacks, and further explained at the first paragraph on p. 3), out of the first 
network domain (note that the attacker must send the traffic out of the enterprise 
network in order for it to reach the web host).
Malan further shows: 

• wherein said monitor/regulator makes said determination based on identifying 
malicious traffic at the routing device using network profiling (see 
"StormDetector" on p. 12, and note that StormDetector "instantly identify[ies] 
malicious traffic" and can be "employed at an attacker's originating network"), 
and 

• wherein said monitor/regulator instructs the first routing device to block the 
undesirable network traffic that is being sourced from the first network domain in 
response to making said determination that the first network domain is sourcing 
the undesirable network traffic (see discussion of "StormBreaker" at p. 14). 
Malan does not explicitly show:

• wherein said monitor/regulator makes said determination based at least in part on
differential characteristics between request packets routed out of said network
domain, and response packets routed into the network domain, and

• wherein the monitor/regulator instructs the first routing device to lower the
priority of the undesirable network traffic.

Poletto shows identifying malicious traffic at a routing device (comprising a gateway) 
based on differential characteristics (comprising a ratio of request packets to acknowledgement 
packets) between request packets routed out of said network domain (comprising client request 
packets which are routed out of an attacker's domain), and response packets routed into the 
network domain (comprising server acknowledgement packets which are routed into the 
attacker's domain: see pages 15-16). Because both Malan and Poletto teach methods for 
identifying malicious traffic at a routing device, it would have been obvious to one of ordinary 
skill in the art to substitute one method for the other in order to achieve the predictable result of 
determining that the network domain is sourcing undesirable traffic. 

Katoh teaches lowering the priority of undesirable traffic as an alternative to blocking it 
outright (see col. 4, lines 10-13). It would have been obvious to one of ordinary skill in the art at 
the time of the invention to further modify the system of Malan to lower the priority of 
undesirable traffic as taught by Katoh in order to achieve the predictable result of easing 
congestion caused by the attack without running the risk of blocking innocent traffic entirely. 
Regarding claim 3, the combination further shows wherein said monitor/regulator infers
said differential characteristics based on aggregated statistics of said network traffic routed out of 
said network domain, and aggregated statistics of said network traffic routed into the network 
domain (comprising maintaining an analysis of the ratio over time, which necessarily involves 
maintaining information about the number of packets routed into and out of the domain). Note 
that in the combination described above, the ratio monitoring process of Poletto is executing on 
the routers of Malan, including the attacker's router. Thus, a request packet from the attacker 
would be routed out of the attacker's network domain (such as the enterprise network), and 
response packets would be routed into the attacker's network domain. 

Regarding claim 5, the combination further shows wherein said monitor/regulator, upon 
determining undesirable network traffics are being sourced out of said first domain, further stops 
said undesirable network traffic from being sourced out of said first domain (see Malan, 
paragraph spanning pp. 14-15). 

Regarding claim 10, the combination further shows wherein 

• said network further comprises a second network domain (ISP-B) including a 
second routing device (comprising a router in ISP-B) for routing network traffic 
out of and into the second network domain (see Fig. 2 on p. 13 of Malan); 

• said monitor/regulator further monitors the network traffic routed by said second 
routing device (note that the system of Malan monitors traffic statistics sent from 
ISP routers: see second paragraph on p. 11 and Fig. 2 of Malan), and determines if 
at least a selected one of the first and second network domains is sourcing
undesirable network traffic out of the selected one of the first and second network 
domains based on network traffic characteristics observed of network traffic 
routed through said first and second routing devices (comprising determining that 
the first network is the location of the attacker: see "StormDetector" on p. 12 of 
Malan). 

Regarding claim 11, the combination further shows wherein said monitor/regulator
determines if undesirable network traffics are being routed out of said first network domain 
through said first routing device based on network traffic characteristics observed of network 
traffic routed through said second as well as said first routing device (note that the analysis 
engine collects statistics from all routers in the attack path in order to track attacks to their 
source: see "StormTracker" on p. 13 of Malan).

Regarding claim 12, the combination further shows wherein said monitor/regulator 
determines if undesirable network traffics are being routed out of said second network domain 
through said second routing device based on network traffic characteristics observed of network 
traffic routed through said first as well as said second routing device (note that the analysis 
engine collects statistics from all routers in the attack path in order to track attacks to their 
source, and further note that the system would detect the source of the attack regardless of which 
domain it originated in: see "StormTracker" on p. 13 of Malan). 
Regarding claim 13, the combination further shows wherein said monitor/regulator, upon
determining undesirable network traffics are being sourced out of at least a selected one of said 
first and second network domains, further stops said undesirable network traffic from being 
sourced out of said first and second network domains (see paragraph spanning pp. 14-15, and 
note that the system would stop traffic at the source of the attack regardless of which domain it 
originated in). 

Regarding claim 42, the combination further shows wherein said monitor/regulator 
generates statistics concerning destination addresses and determines whether the first network 
domain is sourcing undesirable network traffic based on said statistics (see discussion of "flow- 
based statistics" in paragraph spanning pp. 3-4 of Malan). 

Regarding claim 43, the combination further shows wherein said monitor/regulator 
generates statistics concerning lengths of packets and determines whether the first network 
domain is sourcing undesirable network traffic based on said statistics (see discussion of "single 
packet statistics" in paragraph spanning pp. 3-4 of Malan). 

Regarding claim 47, the combination further shows wherein said monitor/regulator 
instructs a routing device to slow the undesirable network traffic (comprising slowing the attack 
traffic to zero: see paragraph spanning pp. 14-15 of Malan). 
Claims 14, 16, 18, 27, 29, 31, 36-39, 51, 52, and 56 correspond to claims 1, 3, 5, 10-13,
42, 43, 47 and are rejected for the same reasons as given above. 

Claim 58 is an apparatus claim which corresponds to claim 1 as addressed above. 
However, the claim includes the additional limitations of (a) the monitor/regulator generating 
statistics concerning destination addresses to determine whether the network domain is sourcing 
the undesirable network traffic, and (b) wherein said monitor/regulator instructs the routing 
device to lower a priority of the undesirable network traffic and/or slow the undesirable network 
traffic. It is noted that Malan teaches these additional features. Malan teaches the 
monitor/regulator generating statistics concerning destination addresses to determine whether the 
network domain is sourcing the undesirable network traffic (see discussion of "flow-based 
statistics" in paragraph spanning pp. 3-4), and further teaches wherein said monitor/regulator 
instructs the routing device to slow the undesirable network traffic (comprising slowing the 
attack traffic to zero: see paragraph spanning pp. 14-15). 

Claims 6-9, 19-26, and 32-35 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Malan (US Pub. No. 2002/0032871) in view of Poletto (US Pub. No. 
2002/0032880), and further in view of Katoh (US Patent No. 5,949,757) and Li (US Patent 
No. 5,473,599). 

Regarding claim 6, the combination does not show wherein said first network domain 
further comprises a second routing device for routing network traffic out of and into the first 
network domain; and said monitor/regulator further monitors the network traffic routed by said
second routing device, and determines if the first network domain is sourcing undesirable 
network traffic out of the first network domain based on network traffic characteristics observed 
of network traffic routed through said first and second routing devices. 

Li shows a network domain comprising a second routing device for routing network 
traffic out of and into the network domain (see col. 7, lines 30-45). It would have been obvious 
to one of ordinary skill in the art at the time of the invention to further modify the system of 
Malan with the second routing device taught by Li in order to reduce the burden on the first 
routing device. 

Note that such a combination would result in said monitor/regulator further monitoring 
the network traffic routed by said second routing device, and determining if the first network 
domain is sourcing undesirable network traffic out of the first network domain based on network 
traffic characteristics observed of network traffic routed through said first and second routing 
devices, since Malan teaches that all the routers in a network's routing infrastructure are used for
collecting data (see first paragraph under "StormProfiler" on p. 11).

Regarding claim 7, the combination further shows wherein said monitor/regulator 
determines if undesirable network traffics are being routed out of said first network domain 
through said first routing device based on network traffic characteristics observed of network 
traffic routed through said second as well as said first routing device (note that all the routers in a 
network's routing infrastructure are used for collecting data: see first paragraph under 
"StormProfiler" on p. 11).

Regarding claim 8, the combination further shows wherein said monitor/regulator 
determines if undesirable network traffics are being routed out of said first network domain 
through said second routing device based on network traffic characteristics observed of network 
traffic routed through said first as well as said second routing device (note that the analysis 
engine collects statistics from all routers in the attack path in order to track attacks to their 
source: see "StormTracker" on p. 13 of Malan).

Regarding claim 9, the combination further shows wherein said monitor/regulator, upon 
determining undesirable network traffics are being sourced out of said first network domain, 
further stops said undesirable network traffic from being sourced out of said first network 
domain (note that the analysis engine collects statistics from all routers in the attack path in 
order to track attacks to their source, and further note that the system would detect the source of 
the attack regardless of where it originated: see "StormTracker" on p. 13 of Malan).

Claims 19-26 correspond to claims 6-13 and are rejected for the same reasons as given
above.

Claims 32-35 correspond to claims 6-9 and are rejected for the same reasons as given
above.
Claims 44 and 53 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Malan (US Pub. No. 2002/0032871) in view of Poletto (US Pub. No. 2002/0032880), and 
further in view of Katoh (US Patent No. 5,949,757) and Carr (US Patent No. 5,293,379). 

Regarding claim 44, the combination further shows wherein said monitor/regulator 
generates statistics concerning distributions of various fields in TCP/IP packet headers (see 
discussion of "single-packet statistics" in paragraph spanning pp. 3-4 of Malan) and determines
whether the first network domain is sourcing undesirable network traffic based on said statistics, 
but does not show that the statistics are generated using time to live values. 

Carr shows that TCP/IP packet headers include time to live values (see Fig. 4 and col. 5, 
lines 27-36). It would have been obvious to one of ordinary skill in the art at the time of the 
invention to use the TTL field taught by Carr along with the statistics generation taught by Malan 
in order to provide an additional basis for determining that traffic is malicious. 

Claim 53 corresponds to claim 44 and is rejected for the same reason as given above. 

Claims 45 and 54 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Malan (US Pub. No. 2002/0032871) in view of Poletto (US Pub. No. 2002/0032880), and 
further in view of Katoh (US Patent No. 5,949,757) and Galloway (US Patent No. 
5,430,709). 
Regarding claim 45, the combination further shows wherein said monitor/regulator tracks
differences between outbound transmission control protocol (TCP) synchronize (SYN) and 
inbound response packets (ACKs) and determines whether the first network domain is sourcing 
undesirable network traffic based on said differences (see Poletto, pp. 16-17). 

The combination does not show tracking differences between finish (FIN) packets and 
inbound response packets. 

Galloway shows that finish (FIN) packets should elicit ACK packets in response (see Fig. 
3). It would have been obvious to one of ordinary skill in the art at the time of the invention to 
further modify the system of Malan to track FIN packets in order to provide an additional basis 
for determining that traffic is malicious. 

Claim 54 corresponds to claim 45 and is rejected for the same reason as given above. 

Claim 59 is rejected under 35 U.S.C. 103(a) as being unpatentable over Malan (US 
Pub. No. 2002/0032871) in view of Poletto (US Pub. No. 2002/0032880), and further in view 
of Katoh (US Patent No. 5,949,757) and Ko et al. (US Patent No. 6,789,202, hereinafter 
"Ko"). 

Regarding claim 59, the combination further shows: 

• a second network domain (ISP-B) including a second routing device (comprising 
a router in ISP-B) for routing network traffic out of and into the second network 
domain (see Fig. 2 on p. 13 of Malan); 
• wherein said monitor/regulator further monitors the network traffic routed by said
second routing device (note that the system of Malan monitors traffic statistics 
sent from ISP routers: see second paragraph on p. 11 and Fig. 2 of Malan), and 
determines if at least a selected one of the first and second network domains is 
sourcing undesirable network traffic out of the selected one of the first and second 
network domains based on network traffic characteristics observed of network 
traffic routed through said first and second routing devices (comprising 
determining that the first network is the location of the attacker: see 
"StormDetector" on p. 12 of Malan). 
The combination does not explicitly show wherein said monitor/regulator, upon 
determining undesirable network traffics are being sourced out of at least one of said first and 
second network domains, lowers a threshold for concluding that undesirable network traffic are 
being sourced out of an other one of said first and second network domains. 

Ko shows that, upon determining a network attack is occurring at one network domain (e.g.,
detecting an attack at a first local network), a threshold for concluding that a network attack
is occurring at another network domain is lowered (e.g., concluding that fewer password tries
are necessary to trigger a security response at a second local network; see col. 4, lines 30-39
and col. 5, lines 7-46). It would have been obvious to one of ordinary skill in the art at the
time of the invention to further modify the system of Malan to lower thresholds in response to
determining attacks as taught by Ko in order to respond more quickly to a large-scale
coordinated attack (see Ko, col. 1, lines 15-28).
Claims 48 and 57 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Malan (US Pub. No. 2002/0032871) in view of Ko (US Patent No. 6,789,202). 

Regarding claim 48, Malan shows a network comprising: 

• a first network domain (for example, an enterprise network: see first paragraph 
under "StormDetector" on p. 12); 

• a first routing device (comprising an attacker's router) at a boundary between the 
first network domain and public internetworking fabric (comprising an ISP 
network: see Fig. 4 and the paragraph spanning pp. 14-15) to route network traffic 
between the first network domain and the public internetworking fabric (implicitly
disclosed as the typical functionality of a first-hop router: see last paragraph on
p. 12); and

• a second network domain (ISP-B) including a second routing device (comprising 
a router in ISP-B) for routing network traffic out of and into the second network 
domain (see Fig. 2 on p. 13 of Malan); 

• a monitor/regulator (comprising the StormDetector analysis engine) that monitors 
the network traffic routed by said first routing device and said second routing 
device (comprising "flow statistics": see second and third paragraphs under 
"StormDetector" on p. 12 and note that StormDetector can be used in "source and 
transit networks" and "an attacker's originating network"), and determines if at 
least a selected one of the first and second network domains is sourcing 
undesirable network traffic out of the selected one of the first and second network 
domains (note that the system of Malan monitors traffic statistics sent from ISP
routers: see second paragraph on p. 11 and Fig. 2 of Malan) based on network 
traffic characteristics observed of network traffic routed through said first and 
second routing devices (comprising determining that the first network is the 
location of the attacker: see "StormDetector" on p. 12 of Malan). 
Malan does not explicitly show wherein said monitor/regulator, upon determining 
undesirable network traffics are being sourced out of at least one of said first and second network 
domains, lowers a threshold for concluding that undesirable network traffic are being sourced out 
of an other one of said first and second network domains. 

Ko shows that, upon determining a network attack is occurring at one network domain (e.g.,
detecting an attack at a first local network), a threshold for concluding that a network attack
is occurring at another network domain is lowered (e.g., concluding that fewer password tries
are necessary to trigger a security response at a second local network; see col. 4, lines 30-39
and col. 5, lines 7-46). It would have been obvious to one of ordinary skill in the art at the
time of the invention to further modify the system of Malan to lower thresholds in response to
determining attacks as taught by Ko in order to respond more quickly to a large-scale
coordinated attack (see Ko, col. 1, lines 15-28).
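As an added illustration (not the applicant's code, nor code from Malan, Poletto, Katoh or Ko), the following Python models the combination as the rejections of claims 1, 45, 48 and 59 describe it: a monitor/regulator aggregates flow records from each domain's boundary router, infers the differential between request packets (SYN, FIN) routed out of a domain and response packets (ACK) routed into it, instructs the router to lower the priority of a flagged domain's traffic rather than block it, and lowers the detection threshold for the other domains. The record format, field names, thresholds and sample flows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    """One flow record exported by a domain's boundary router (constructed format)."""
    domain: str     # network domain whose boundary router saw the flow
    direction: str  # "out" = routed out of the domain, "in" = routed into it
    flags: str      # TCP flags in the flow, comma separated, e.g. "SYN,ACK"
    packets: int    # packets counted in this flow record


@dataclass
class DomainStats:
    """Aggregated per-domain counters from which the differential is inferred."""
    out_syn: int = 0   # request packets (SYN) routed out of the domain
    out_fin: int = 0   # finish packets (FIN) routed out of the domain
    in_ack: int = 0    # response packets (ACK) routed into the domain

    def ratio(self) -> float:
        """Outbound requests per inbound response. A well-behaved domain stays
        near 1.0; a flood of SYNs or FINs that draw no ACKs drives it upward."""
        return (self.out_syn + self.out_fin) / max(self.in_ack, 1)


class MonitorRegulator:
    """Monitor/regulator coupled to the boundary routers of several domains."""

    def __init__(self, base_threshold: float = 3.0, lowered_threshold: float = 1.5):
        self.lowered_threshold = lowered_threshold
        self.thresholds = defaultdict(lambda: base_threshold)   # per domain
        self.stats = defaultdict(DomainStats)
        self.flagged = set()      # domains already found to be sourcing attacks
        self.actions = []         # instructions sent to routing devices

    def ingest(self, rec: FlowRecord) -> None:
        """Account one flow record against its domain's aggregated counters."""
        flags = set(rec.flags.split(","))
        s = self.stats[rec.domain]
        if rec.direction == "out" and "SYN" in flags and "ACK" not in flags:
            s.out_syn += rec.packets
        elif rec.direction == "out" and "FIN" in flags:
            s.out_fin += rec.packets
        elif rec.direction == "in" and "ACK" in flags:
            s.in_ack += rec.packets

    def evaluate(self) -> list:
        """Flag domains whose differential exceeds their current threshold,
        instruct their router to lower (not block) that traffic's priority,
        and lower every other domain's threshold. Returns newly flagged domains."""
        newly = [d for d, s in self.stats.items()
                 if d not in self.flagged and s.ratio() > self.thresholds[d]]
        for domain in newly:
            self.flagged.add(domain)
            self.actions.append(("lower_priority", domain))
            for other in self.stats:
                if other != domain:
                    self.thresholds[other] = min(self.thresholds[other],
                                                 self.lowered_threshold)
        return newly


def demo() -> dict:
    """Run the monitor over constructed flow records; returns its decisions."""
    records = [  # constructed sample: enterprise floods SYNs that go unanswered
        FlowRecord("enterprise", "out", "SYN", 500),
        FlowRecord("enterprise", "in", "SYN,ACK", 20),
        FlowRecord("isp-b", "out", "SYN", 100),        # healthy handshake ratio
        FlowRecord("isp-b", "in", "SYN,ACK", 90),
        FlowRecord("isp-c", "out", "SYN", 160),        # ratio 2.0: below the base
        FlowRecord("isp-c", "out", "FIN,ACK", 40),     # threshold, above the
        FlowRecord("isp-c", "in", "ACK", 100),         # lowered one
    ]
    mon = MonitorRegulator()
    for rec in records:
        mon.ingest(rec)
    first = mon.evaluate()    # enterprise flagged; other thresholds drop to 1.5
    second = mon.evaluate()   # isp-c now exceeds its lowered threshold
    return {"first": first, "second": second, "actions": mon.actions,
            "thresholds": dict(mon.thresholds)}
```

Calling demo() shows the second domain being flagged only after the first detection lowered its threshold, which is the cross-domain behaviour the Ko modification adds to Malan.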

Claim 57 corresponds to claim 48 and is rejected for the same reasons as given above. 



Conclusion 